Katila

Privacy Notice

Last updated 2026

Who we are

This Privacy Notice explains how we collect, use and protect personal data when you use Katila. It is written to align with the principles of the EU General Data Protection Regulation ("GDPR") and similar data protection laws. In this notice, "we", "us" and "our" refer to the operator of the Katila service, and "you" refers to an individual user or visitor. It covers both account holders (typically short-term-rental hosts and property managers) and guests who use a stay link or ask the AI guest assistant a question during their stay.

Categories of data we process

Depending on how you use Katila, we may process the following categories of data:

  • Account information – such as your email address, password hash and basic profile settings needed to create and secure your account.
  • Inventory content – details you store in items, attributes, templates and attachments, which may include descriptions, notes, dates, identifiers, and uploaded files you choose to associate with an item.
  • Usage and device data – technical information such as IP address, browser type, operating system, approximate region, access times, and pages or features used. This is typically collected via logs and similar mechanisms to keep the service secure and reliable.
  • Access interactions – when someone visits a public item link, we may record that an access occurred, along with limited technical metadata, to help you understand how your links are being used and to protect against abuse.
  • Guest stay and assistant data – when a host shares a stay link, we process the stay dates and any guest name hint the host enters, so the right property guide is shown during the stay. Questions a guest asks the AI guest assistant are processed to generate an answer (see "AI assistants" below); we do not store guest conversations — only per-stay usage counters (such as request and token counts) used to enforce fair-use limits.
  • Billing and subscription data – as part of your subscription, we process information necessary to manage it, including the number of properties on your account, billing status, payment references and renewal dates. Full payment card data is handled by our payment service provider (Stripe) and is not stored by us.
  • Support communications – messages you send to support (for example, by email), including any information you choose to include in those messages.

Purposes and legal bases (GDPR)

Under GDPR we must identify a legal basis for each purpose of processing. We rely on the following:

  • To provide and maintain the service – including authenticating users, storing your inventory content and attachments, rendering dashboards, and serving public item pages you choose to expose. This processing is based on performance of a contract, as it is necessary to deliver the Katila service you sign up for.
  • To manage billing and subscriptions – including processing subscription upgrades, renewals, and cancellations, and enforcing plan limits. This processing is based on performance of a contract and compliance with legal obligations related to accounting and tax.
  • To provide AI-assisted answers – when a host uses Katila's AI capture tools or host assistant, or a guest asks the AI guest assistant a question, we process the submitted text together with the relevant property information to generate a reply. For account holders this is based on performance of a contract; for guests it is based on our legitimate interests (and those of the host) in answering stay questions quickly and accurately.
  • To keep the service secure and reliable – for example, detecting misuse, preventing abuse, troubleshooting issues and generating aggregated usage statistics. This processing is based on our legitimate interests in operating a secure and efficient service that our users can rely on.
  • To communicate with you – such as sending essential service messages, security notifications, or replies to your support requests. These communications are necessary for performance of a contract and our legitimate interests in providing effective support.
  • To comply with law – including responding to lawful requests from public authorities and meeting record-keeping obligations. This processing is based on compliance with legal obligations.

Where we rely on legitimate interests, we only do so after assessing that our interests are not overridden by your fundamental rights and freedoms. If we ever rely on consent for a particular use of your data, you will be able to withdraw that consent at any time.

How we share data

We do not sell your personal data. We share it only when necessary and under strict safeguards:

  • Service providers (processors) – we use specialised third parties to host infrastructure, store files, deliver email, provide authentication, process payments, generate AI assistant replies and perform other operational tasks. These providers only process data on our instructions, under written data protection agreements.
  • Other users and the public – when you choose to make an item or specific attributes public, the corresponding information becomes accessible to anyone with the link. You control which attributes are public and can change visibility settings at any time.
  • Legal and compliance – we may disclose information if required to do so by law, or in response to valid legal processes, or to protect our rights, safety, or the rights and safety of others.

AI assistants

Katila includes AI features: capture tools and an assistant for hosts, and a guest assistant that answers questions about a property during a stay. To generate a reply, the text you submit and the relevant property content are sent to our AI service provider, OpenAI, which processes them on our behalf and under our instructions; this data is not used to train OpenAI's models.

The guest assistant only sees property content the host has chosen to share with guests — content marked private is excluded before any AI processing takes place. Guest conversations are not stored by Katila: questions and answers are processed transiently to produce the reply, and only per-stay usage counters are retained to enforce fair-use limits. The assistant is not monitored in real time and is not a channel for emergencies — guests in danger should call their local emergency number.

International data transfers

Our service may be operated from, and data may be stored in, countries other than your own. Where personal data is transferred from the European Economic Area (EEA) or United Kingdom to a country that has not been recognised as providing an adequate level of protection, we rely on appropriate safeguards under GDPR, such as standard contractual clauses or equivalent legal mechanisms, combined with technical and organisational measures designed to protect your data.

Retention of data

We retain personal data only for as long as necessary for the purposes described in this notice:

  • Account and profile data are kept for as long as your account remains active and for a limited period thereafter where needed for legitimate business, security or legal reasons.
  • Inventory items, attributes, attachments and templates are stored until you delete them or delete your account, subject to reasonable backup and logging periods.
  • Guest assistant conversations are not retained: questions are processed to produce an answer and then discarded. Stay records (dates and any guest name hint) and per-stay usage counters are kept while the stay link is operative and for a limited period thereafter, or until the host deletes them.
  • Billing and subscription records are retained as required by applicable tax and accounting laws.
  • Log and security data may be kept for a period sufficient to investigate incidents, defend against claims and improve service reliability.

When data is no longer needed, we either delete it or irreversibly anonymise it so that it can no longer be linked back to an identifiable individual.

Your rights under GDPR

Subject to certain conditions and limitations, individuals in the EEA, UK and other jurisdictions with similar laws have the following rights:

  • Right of access – to obtain confirmation as to whether we process your personal data and to receive a copy of that data.
  • Right to rectification – to have inaccurate or incomplete personal data corrected.
  • Right to erasure – to request deletion of your personal data where there is no longer a legal basis for us to keep it ("right to be forgotten").
  • Right to restriction – to ask us to limit the processing of your personal data in certain circumstances.
  • Right to data portability – to receive personal data you provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller where technically feasible.
  • Right to object – to object to processing based on our legitimate interests, on grounds relating to your particular situation. We will stop processing unless we can demonstrate compelling legitimate grounds or the processing is required for legal claims.
  • Right to withdraw consent – where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

You can exercise many of these rights directly in the product—for example by updating your profile, changing visibility settings, exporting data or deleting items. If you need additional assistance, contact us using the details below.

Your controls and choices

From the Account and Items pages, you can manage what you store and how it is shared:

  • Adjust whether an item is private or public, and control visibility at the attribute level where supported by your plan.
  • Add, update or delete items, attributes, templates and attachments at any time.
  • Delete your account, which will remove your items, templates, attachments and user preferences from the active service after a short processing period.

Security

We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include access controls, encryption in transit, least-privilege practices, monitoring and regular review of our infrastructure and application behaviour. No online service can guarantee absolute security, but we work continuously to improve our defences.

Children's data

Katila is not directed at children and is intended for use by adults and organisations. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us so we can take appropriate action.

Contact and complaints

If you have questions about this Privacy Notice or how we handle personal data, you can contact us at support@katila.ai. If you are located in the EEA or UK and believe that our processing of your personal data infringes applicable law, you also have the right to lodge a complaint with your local data protection authority.

Changes to this notice

We may update this Privacy Notice from time to time to reflect changes in our service, legal requirements or best practices. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice within the product. Your continued use of Katila after an update means you accept the revised notice.